- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 2 Dec 2009 11:36:22 -0800
- To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Cc: Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>, public-web-security@w3.org
Meta note: This message is CC'd to both ietf-http-wg and the new
public-web-security list
<http://lists.w3.org/Archives/Public/public-web-security/>. I gather
that TPTB want this discussion moved to public-web-security, so please
treat this email as the splice in the conversation and remove
ietf-http-wg from the CC list of any replies.

On Mon, Nov 30, 2009 at 8:28 PM, "Martin J. Dürst" <duerst@it.aoyama.ac.jp> wrote:
> On 2009/12/01 4:00, Tyler Close wrote:
>
>> Consider a webbot that sends a PUT request to a resource on the
>> open Internet, which responds with a 307 to a resource behind the same
>> firewall as the webbot. The webbot has essentially punched a hole in
>> the firewall.
>
> Yes, the webbot has done this. One has to be very careful when running stuff
> such as webbots, make sure they are either inside or outside the firewall,
> but not both, unless you know exactly what you're doing. This not only
> applies to PUTs, but also to GETs.

Yes, where obeying SOP rules is part of how you "be very careful".

> On the other hand, if I write (e.g. using libcurl or whatever) a "webbot"
> that periodically checks the balance on one of my bank accounts and
> transfers money from another bank account of mine if the balance on the
> first bank account is low, then I don't see why anybody would want to forbid
> this.

I am *not* suggesting it should be forbidden. Just as a user-agent permits
a user to copy-paste data between origins, so should a webbot be permitted
to do the same. The SOP rules apply to what content from a given origin may
be allowed to do, not to what the user may do. For example, using your
scenario, content from the first bank account (the one you're checking the
balance of) should not be able to determine the balance of the "another
bank account". Only the webbot should be able to do this.

This same reasoning applies to the "stylebot" example in Adam Barth's
message. The "stylebot" can be implemented without violating SOP
restrictions.
--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
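The "hole in the firewall" case above, as an added example (not code from the thread or from any project named in it): a redirect policy a webbot can apply before following a 3xx Location, so that content from one origin cannot steer a request behind the bot's own firewall. The DNS table, the hostnames and the rule that cross-origin redirects of state-changing methods are refused are assumptions of the example.

```python
"""Redirect policy for a redirect-following HTTP client ("webbot")."""
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
FAKE_DNS = {
    "www.example.com": ["203.0.113.10"],   # public Internet (TEST-NET-3)
    "cdn.example.net": ["198.51.100.7"],   # public Internet (TEST-NET-2)
    "intranet.example": ["10.0.0.5"],      # behind the bot's firewall
    "localhost": ["127.0.0.1"],
}

# Address ranges the firewall normally shields; extend to fit the deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def resolve(host, table=FAKE_DNS):
    """Return the addresses for host; an IP literal resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return table.get(host.lower(), [])


def is_internal(ip):
    """True if ip falls inside one of the shielded ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def redirect_allowed(request_url, location, method):
    """Return (True, target_url) if the redirect may be followed, else (False, why).

    Same-origin redirects are followed. Leaving the origin is refused for a
    state-changing method (a 307 keeps the PUT and its body), and for a safe
    method it is refused when the target resolves to an internal address or
    cannot be resolved at all. Re-check after the real DNS lookup: a name that
    later resolves differently (rebinding) must not bypass the check.
    """
    target = urljoin(request_url, location)
    src, dst = urlsplit(request_url), urlsplit(target)
    if (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port):
        return True, target
    if method.upper() not in ("GET", "HEAD", "OPTIONS"):
        return False, f"cross-origin {method.upper()} redirect refused"
    addrs = resolve(dst.hostname or "")
    if not addrs or any(is_internal(a) for a in addrs):
        return False, f"target {dst.hostname} is internal or unresolvable"
    return True, target
```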
Received on Wednesday, 2 December 2009 19:37:11 UTC